Date: Wed, 9 Mar 2016 09:32:59 -0800 (PST) From: Don Lewis <truckman@FreeBSD.org> To: freebsd-ipfw@freebsd.org Subject: ipwf dummynet vs. kernel NAT and firewall rules Message-ID: <201603091733.u29HX05o011028@gw.catspoiler.org>
next in thread | raw e-mail | index | archive | help
I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this patch: <http://caia.swin.edu.au/freebsd/aqm/downloads.html>, but I'm running into a problem that I think is caused by an interaction between in-kernel NAT and dummynet. I've set up two dummynet pipe/sched/queue instances using example 3.3a from this document <http://caia.swin.edu.au/freebsd/aqm/patches/README-0.1.txt>; with the appropriate bandwidths, but otherwise default tunings to shape both inbound and outbound traffic. My inside network is a /24 and I have an external /29 (ext/29) network that I don't want to rate limit. My outside network interface is re0. I'm using the /etc/rc.firewall "simple" firewall configuration. The problem that I'm having crops up when I actually try to add the firewall rules to select the traffic that I want to rate limit. The first rule in the list is: 100 allow ip from any to any via lo0 The second rule is numbered 200 and is first anti-spoofing rule. If I add *either* of these two rules, then I'm no longer able to communicate between hosts on my internal network and the rest of the world: ipfw 110 add queue 1 ip from not ext/29 to any in recv re0 ipfw 120 add queue 2 ip from any to not ext/29 out xmit re0 It seems like the inbound rule should be early in the rule list so that any inbound traffic that gets dropped by the firewall rules gets counted even if it is dropped by later rules. It also seems like the outbound rule needs to be before any allow rules since an allow rule would skip the remaining rules and would not count that traffic. Unfortunately the ipfw documentation doesn't really describe the interaction between dummynet, NAT, and other firewall rules. Unfortunately this is a live system, so it is difficult to do controlled experiments and look at the ipfw counters to see where things might be going into the weeds ...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201603091733.u29HX05o011028>